BEAST creators develop new SSL attack

Security researchers Juliano Rizzo and Thai Duong – who released details of an attack on SSL/TLS last year, along with a tool called BEAST – are preparing to present a new attack on SSL/TLS at the Ekoparty Security Conference in Argentina later this month, according to Threatpost. The new attack has been given the name CRIME by the researchers.

The CRIME attack is based on a weak spot in a special feature of TLS 1.0, but the researchers have not revealed which feature that is. They do say that all versions of TLS/SSL – including TLS 1.2, on which the BEAST attack did not work – are vulnerable. The researchers say that once they have placed themselves in the middle of a given network, they can sniff the HTTPS traffic and launch the attack. Their chosen way to get into that position is by running JavaScript code in the victim's browser, but the attack doesn't rely on JavaScript.

The cipher suite doesn't matter, say the researchers, noting that one workaround for BEAST attacks was to switch from AES to RC4, but for CRIME that isn't important. The feature that CRIME is leveraging for its attack has, they say, not been a major subject for security research in the past, but for the attack to work it must be supported at the client and server.

Both Mozilla's Firefox and Google's Chrome web browsers are vulnerable to the attack, but the researchers say that both vendors have patches created to fix the problem that will be available in a few weeks.

Although risks around implementing the feature have been "superficially discussed," the researchers say they haven't found any research showing how efficient an attack could be. Conventional attacks against SSL connections almost always run as an SSL man-in-the-middle, where the attacker offers fake certificates to the victim to break the encrypted end-to-end connection. This was not the case with BEAST (Browser Exploit Against SSL/TLS); it succeeded instead by using special tricks to crack the encryption from within the victim's browser. It could extract and decrypt cookies for PayPal in under ten minutes. CRIME is expected to follow in these pioneering footsteps.